A unified machine-checked model for multithreaded Java

Size: px

Start display at page:

Download "A unified machine-checked model for multithreaded Java"

Kory Hines
5 years ago
Views:

1 A unified machine-checked model for multithreaded Java Andre Lochbihler IPD, PROGRAMMING PARADIGMS GROUP, COMPUTER SCIENCE DEPARTMENT KIT - University of the State of Baden-Wuerttemberg and National Research Center of the Helmholtz Association 1

2 Motivation JMM formalisations by Sevcik/Aspinall and Petri/Huisman no connection to operational semantics SC formalisations of Java (bytecode) Incorrect claims about the JMM supported optimisations litmus tests What is intra-thread consistency? Memory allocations and initialisations problematic unified, machine-checked model of multithreaded Java 2 2

3 Jinja [Klein, Nipkow TOPLAS'06] big-step small-step type safety source code veri fied com piler stage 1 stage 2 λ = Isabelle β HOL α sequential VM type safety bytecode verifier byte code Java features: clses, objects & fields inheritance & late binding exceptions imperative features not modelled: reflection & cls loading interfaces threads 3 3

4 JinjaThreads [ESOP 10] conc. small step interleaving semantics concurrent VM big-step small-step type safety source code veri fied com piler stage 1 stage 2 λ = Isabelle β HOL α single-thread sequential VM VM type safety bytecode verifier byte code Java concurrency features: arbitrary thread creation synchronisation thread join & interruption wait / notify not modelled: java.util.concurrent final fields 3 3

5 JinjaThreads conc. small step interleaving Java Memory semantics Model concurrent VM big-step small-step type safety source code veri fied com piler stage 1 stage 2 λ = Isabelle β HOL α single-thread sequential VM VM type safety bytecode verifier byte code Prove: DRF guarantee Type safety No thin-air reads Compiler correctness 3 3

6 Isolated traces of threads JMM: Type information and array lengths are not affected. initially: v = 0; w = null; r1 = v; r2 = new int[r1]; v = 1; r3 = w; r4 = r3.length; w = r2; print r4; // when to print 1? r4 = r3.length unobservable intra-thread consistency spans threads 4 4

7 Interleaving semantics for types single-thread semantics t x, T x', T' interleaving interleaved semantics t σ, T σ', T'

8 Interleaving semantics for types single-thread semantics t x, T x', T' interleaving interleaved semantics t σ, T σ', T' type info array lengths

9 Interleaving semantics for types single-thread semantics t x, T x', T' interleaving interleaved semantics t σ, T σ', T' locks thread-local states wait sets type info array lengths

10 Interleaving semantics for types single-thread semantics t x, T x', T' interleaving interleaved semantics t σ, T σ', T' new thread x / lock l / unlock l / wait w / notify w /... locks thread-local states wait sets type info array lengths

11 Interleaving semantics for types single-thread semantics t x, T x', T' interleaving interleaved semantics t σ, T σ', T' typeoft a = Cls C P C Thread P C sees run() = body t (addr a).start(), T [NewThread body] Unit, T

12 Interleaving semantics for types single-thread semantics t x, T x', T' interleaving interleaved semantics t σ, T σ', T' typeoft a = Cls C P C Thread P C sees run() = body t (addr a).start(), T [NewThread body] Unit, T σ, T σ, T [] t σ, T σ', T' σ, T obst() : E σ', T' E trace E: σ, T E := E'. σ, T E' E = concat(e') intra-thread consistency: program = maximal traces of interleaving

13 Axiomatic JMM trace obtain po, hb, so well-formedness legality Deviations: no thread divergence actions thread interruption via volatile field ordinality of so and po synchronisation order ω+ω program order ω+ω no ssw edges and legality constraint 8 initialisations: happen before all other actions location type may depend on read values v = 1; r1 = (v == 1? new int[1] : new bool[1]); r2 = r1[0]; // read 0 or false 6 6

14 DRF guarantee Proof outline for correctly synchronized programs: If each read sees a write that happens before it, execution is SC. If not, find first violating read r, obtain SC completion from r on, and show that r and the writes are part of an hb data race. by induction: justifying executions are SC. I 7 7

15 SC completions SC defined w.r.t. happens-before traces coinductive coinductive characterisation of SC prefixes allocation precedes read access construct SC completion via corecursion cut-and-update property for thread semantics requires type safety restrict reads to read only type-correct values disallows reordering with object creation: r1 = x; y = new Object(); r1 == y? r2 = y; x = r2; 8 8

16 Summary Unified model for multithreaded Java (bytecode) in Isabelle/HOL usable for proving metatheoretic results Future work remedy type restriction type safety correctness of the bytecode verifier and compiler 9 9

Verifying a Compiler for Java Threads

Verifying a Compiler for Java Threads Andreas Lochbihler IPD, PROGRAMMING PARADIGMS GROUP, COMPUTER SCIENCE DEPARTMENT KIT - University of the State of aden-wuerttemberg and National Research Center of